DEV Community: dhanush 

SSH Protocol Working - Authentication & Encryption

dhanush  — Thu, 16 Jul 2020 10:11:36 +0000

Intro

SSH is the most important network cryptographic protocol after SSL. It lets you securely connect and access the shell of a remote machine to execute commands on it. SSH works based on a client-server model where an ssh client in a machine can connect to the ssh server on another machine. It creates a secure tunnel between two hosts (client and server) by encrypting all the data that flows between the channel. This encryption-based connection ensures that you get the utmost privacy during communication. SSH also provides you the option of using the public key authentication technique for authorizing the users. This way of authentication is far better than password authentication as you will see.

Let's stop this intro right here and get into the intricate details about how SSH authorizes users and encrypts the data flow between them. The devil is in the details.

SSH AUTHORIZATION

Authorizing the right user is important when it comes to remote access. It is easy to exploit a user's identity in remote access than in-person access. By default, users can use the password of the remote machine and its user for authentication in ssh. Password authentication is easy and simple, but it is not secure as a malicious user can easily brute-force the remote machine if the password is weak.

Public key authentication is optional in ssh for authorization, but you should opt for it as it provides vastly improved security over password-based authentication. This method is used for authorizing a client to the server and vice versa. Let's see how it works.

note - Public key authentication is based on asymmetric encryption algorithms such as RSA. The asymmetric encryption algorithm uses two keys - public key & private key for encryption and decryption. The two keys are created in such a way that any file encrypted by the public key can only be decrypted by its equivalent private key.

CLIENT AUTHENTICATION

Step 1 - ssh client should create its asymmetric encryption keys (public and private). This can be easily done with the help of the ssh-keygen command in the Openssh client software.
Step 2 - The public key of the client should be transported to the ssh server's authorized keys file. The authorized keys file of the server contains the public keys of the different ssh clients that wish to communicates with the server. This transport of the keys can be done manually or with ssh-copy-id command. The private key of the client should be kept private with the client and can be further protected using a passphrase.
note - The authorized keys file on the ssh server is important. If a malicious user somehow transports his public key to this file, then the malicious user can log in to the server without any other credentials.
Step 3 - After finishing the initial communication with the server, the client will select the public key method for authorization. For client authentication, the server encrypts a random 256-bit string using the client's public key from the authorized keys file. It then sends this encrypted text to the client. As you know that only the equivalent private key can decrypt the contents encrypted by the public key, so if the client has the private key, it can decrypt the content sent by the server. Only the authorized client can decrypt this file as they only have the private key.
Step 4 - The client then combines the common session key (will explain later) with the decrypted content and generates a hash of this combination. This hash is sent to the server.
Step 5 - The server, in turn, generates its hash with the session key and the 256-bit random string. The hash sent by the client is compared with the hash generated. If the hash is matched, then the client is authenticated.

SERVER AUTHENTICATION

Step 1 - Server authentication by the client happens before the client authentication. The server has its own set of the public and private key for authentication.
Step 2 - For server authentication to happen, the client must initially have a copy of the server's public key in its known host's file. The public key is sent by the admin of the server to the client and is saved to the known host's file of the client. During the initial communication, the server sends its public key fingerprint to the client, and the client compares it with its own copy of the server's public key in the known host's file. This checking authenticates the server. note - public key fingerprint is nothing but a hash of the public key. The hash uniquely identifies the key, so it is called a fingerprint.
Step 3 - Normally, you won't have the server's public key when you connect to the server for the first time if there are no administrators or other people to send it. So, the client cannot validate the fingerprint sent by the server. Here, the client warns the user when connecting for the first time. In the future connection, you won't get any warnings as the server key will be added to the known host's file during the first connection with the warning.

As you can see, the authentication uses heavily the asymmetric encryption algorithm, mainly the RSA & DSA. It authenticates securely than just using a password.

Some cool things to know about SSH

I've said that SSH is used for executing commands on a remote shell. That is true, but it can also do a lot more than that by using the scp (secure copy), SFTP (Secure File Transfer Protocol), and SSHFS (SSH File System). The scp is a command that lets you copy files between two hosts. SFTP is a protocol like FTP that transfers files between the hosts. SSHFS lets you mount the file system of a remote machine to a host machine. All these works on top of SSH, so you get all the privacy and other benefits from it.

SSH ENCRYPTION

After authenticating both the client and server, you need to create an encrypted channel to pass data securely between the hosts. This is done using the symmetric encryption algorithm. The symmetric algorithm uses a single key to encrypt and decrypt the data. This single key is called a session key (mentioned earlier). There needs to be a way to create the same session key between the client and the server with any compromise. Here, the key exchange algorithm comes into play. SSH uses the Diffie Helman key exchange algorithm to share the common session key without leaking it to any third party. How this key exchange algorithm works is beyond the scope of this article as it needs a separate post to explain. This generation of the session key happens after the server authentication and before the client authentication. After the generation of the session key, all the data that is passed between the client and server is encrypted using it to provide the utmost privacy.

Conclusion:

SSH, with its beautiful implementation of symmetric encryption, asymmetric encryption, and hashing techniques maintains privacy, integrity, and establishes proper authentication. With this implementation, it becomes next to impossible for a malicious user to eavesdrop, perform a man in the middle attack, or other attacks. Hopefully, you got some knowledge about the working of SSH with this post. I'll try to make a similar post for SSL if time permits. Thanks for reading!

Proxychains - All the what's and how's.

dhanush  — Sun, 10 May 2020 11:41:44 +0000

I’ve been using Ubuntu as my main OS for the past couple of years after a decade of using Windows. To be frank, the Linux experience is pretty awesome. I am learning a lot of things by using Linux as my main OS. One such thing that I learned is the Proxychains. In this post, I’ll explain all about it so we can both get knowledge about Proxychains.

How did I come across it?

I am a computer guy, so obviously, I use VPN. Betternet was the choice of my VPN when I was using Windows. On the Linux side, I tried various options like OpenVPN and many others. But there were problems like slow connection speed, unreliability, etc. I came across Proxychains while I was learning about cybersecurity, and I was quite intrigued by the concept. Now I use Proxychains to access the sites that are blocked by my country without any issue. The Proxychains also provide better anonymity than a regular VPN. Let’s see how.

What is it?

When you use a VPN, there is just only one proxy server between you and your destination. The VPN client present in your system encrypts your data and sends it to the VPN server. This server acts as a proxy on behalf of you and communicates with your target host. This system creates a good level of anonymity for any client. But you leave a trail of your activity with the proxy server every time you use a VPN. If your VPN provider is not up to the standards, then there is a high chance that someone will able to track you even though you use a VPN. There is also a good chance of a DNS leak with your VPN service.

To combat this, you can use Proxychains. Proxychains is a tool that forces every TCP communication coming out of your system to go through different proxies. As the name suggests, you can chain multiple proxies with the Proxychains and your connection will go through these different proxies before reaching your target. This method of chaining proxies gives you much more anonymity than a standard VPN. It also has the option to mitigate the DNS leak problem. With a Proxychain, you can configure different proxy protocols such as SOCKS 4, SOCKS 5, and HTTPS. You can even configure Tor proxy with it. You need to have servers with these aforementioned proxy protocols to work with the proxychains.

How to install it?

Proxychains is a tool that is written only for GNU/Linux systems, so if you are using Windows, you need to find some alternatives. The Proxychains is installed by default on Kali and some other distributions. If you don’t have Proxychains pre-installed, then you can download it from the repository using your package manager tool. I am on Ubuntu, so I use the ‘apt’ command to install the software.

$sudo apt install proxychains

You should also install Tor if you intend to use the tor proxy with proxychains.

$sudo apt install tor

How to configure proxychains?

Once you install Proxychains, you can configure the tool with its configuration file. The proxychians.conf file is located in the /etc/proxychains.conf. Open this file with your favorite text editor. Mine is nano.

$cd /etc/
$nano proxychains.conf

Once you open it, you will see that there are different ways to configure the chain of proxies such as dynamic, random, and strict. You can comment or uncomment the name(dynamic_chain, random_chain, strict_chain) to enable or disable the specific option. I am using the dynamic_chain option to route packets through the proxies. You can read about the options in the configuration file to know more about it. If you scroll down a bit, there will be a line “Proxy DNS requests — no leaks for DNS” commented. You should remove the hashtag to prevent DNS leak while using the proxychains. Scroll down further to see the list where you can add your proxies. The file also gives you some examples of how to add the proxies. By default, the Proxychains use tor. If you don’t want to use tor, you can comment out the first line out and add your own proxies. You can get some https or socks 5 proxy servers from this link. Save and close the file. Then, you can see the Proxychain in action by using it with your favorite browser.

$proxychains firefox

The above command will open firefox and force all the TCP connections to go through the proxies that you configured in the file. You can see how the connections work in the terminal.

If you wish to use the Tor proxy, leave the default proxy configuration list in the proxychains.conf file. By default, the Proxychains send the traffic through our localhost on the port 9050. It is the default Tor configuration port. So you need to start the Tor service on your system and you can use proxychains with your browser. Now, all the connections will go through the tor network.

$sudo service tor start

You can also link other proxies with the Tor to get better anonymity.

Why you should use it?

You may think that using Proxychains is going overboard to stay anonymous. I completely agree. For normal users, VPN does all the job for them. Proxychains shines in providing complete anonymity for people working in the cybersecurity domain. You should not leave any trail of your system when you are pen-testing, data sniffing, etc. That is why proxychain is mainly used along with network tools such as Nmap.

$proxychains nmap 192.168.1.10

If you want complete anonymity on the internet, Proxychains is the best tool that you can use. For the rest of us, Betternet or Proton VPN would suffice.

Hi, I'm dhanush ï£¿

dhanush  — Wed, 07 Jun 2017 14:08:16 +0000

I have been coding for 6 months.

You can find me on Twitter as @dhanush_ramuk

I live in Coimbatore.

I work for me.

I mostly program in : Python.

I am currently learning more about Machine Learning.

Nice to meet you.